[Python-Dev] Releases for recent security vulnerability

Antoine Pitrou solipsis at pitrou.net
Fri Apr 15 14:59:40 CEST 2011


On Fri, 15 Apr 2011 08:36:16 -0400
Jesse Noller <jnoller at gmail.com> wrote:
> On Fri, Apr 15, 2011 at 8:30 AM, Brian Curtin <brian.curtin at gmail.com> wrote:
> >
> > On Apr 15, 2011 3:46 AM, "Gustavo Narea" <me at gustavonarea.net> wrote:
> >>
> >> Hi all,
> >>
> >> How come a description of how to exploit a security vulnerability
> >> comes before a release for said vulnerability? I'm talking about this:
> >> http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
> >>
> >> My understanding is that the whole point of asking people not to
> >> report security vulnerability publicly was to allow time to release a
> >> fix.
> >
> > To me, the fix *was* released. Sure, no fancy installers were generated yet,
> > but people who are susceptible to this issue 1) now know about it, and 2)
> > have a way to patch their system *if needed*.
> >
> > If that's wrong, I apologize for writing the post too early. On top of that,
> > it seems I didn't get all of the details right either, so apologies on that
> > as well.
> 
> The code is open source: Anyone watching the commits/list knows that
> this issue was fixed. It's better to keep it in the public's eyes, so
> they know *something was fixed and they should patch* than to rely on
> people *not* watching these channels.
> 
> Assume the bad guys already knew about the exploit: We have to spread
> the knowledge of the fix as far and as wide as we can so that people
> even know there is an issue, and that it was fixed. This applies to
> users and *vendors* as well.

True. However, many open source projects make a habit of cutting a
release when a hole is discovered and fixed. It depends on how seriously
they (and their users) take security. Of course, there are different
kinds of security issues, more or less severe. I don't know how severe
the above issue is.

Relying on a vendor distribution (such as a Linux distro, or
ActiveState) is hopefully enough to get these security updates in time
without patching anything by hand. I don't think many people compile
Python for production use, but many do use our Windows installers.

Regards

Antoine.
